
CVE-2025-64328

Published: February 3, 2026

CVSS v3.1 base score: 7.2
EPSS: 17.45% probability of exploitation in 30 days (94.9th percentile)

Official Description

Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.

Source: NVD

CISA KEV Advisory

Sangoma FreePBX OS Command Injection Vulnerability


Added to KEV: 2026-02-03
Federal patch deadline: 2026-02-24

Required Action (CISA)

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Risk Analysis

Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that allows a post-authentication command injection by an authenticated user. The high CVSS score, EPSS score, and confirmed exploitation indicate this is a severe vulnerability that is actively being targeted for remote access.

This vulnerability is actively exploited in the wild and is listed in CISA's KEV catalog. While it requires prior authentication, its remote exploitability and potential for remote access as an asterisk user make it a significant threat.

Recommended Action

Apply available patches for Sangoma FreePBX Endpoint Manager to address this OS command injection vulnerability. Implement strong authentication and regularly audit user accounts and permissions to prevent unauthorized access.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2025-64328 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires high privileges (PR:H), so exposure is limited to scenarios where an attacker already holds a privileged authenticated account, consistent with the post-authentication nature of the flaw.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), giving a CVSS base score of 7.2.

CISA has added CVE-2025-64328 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged

Impact
  Confidentiality: High
  Integrity: High
  Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploit & PoC Resources

Active exploitation: confirmed exploitation in the wild

Quick Facts

CVE ID: CVE-2025-64328
CVSS Score: 7.2 / 10
Severity: HIGH
CISA KEV: YES (active exploitation)
Exploit: IN THE WILD
EPSS (30d): 17.45%
Published: Feb 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-64328 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per the BOD 22-01 timeline
  • Active exploitation confirmed: treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.